New malvertising campaign infects home and small business routers

New DNSchanger targets Chrome and gives attackers control over web traffic

A new campaign that infects internet routers with malware via malicious ads has been uncovered by researchers.

The researchers, working at security vendor Proofpoint, have analysed the use of an improved version of the exploit kit DNSChanger. The exploit kit is not new, dating back to 2007, but the researchers note several recent refinements in a new campaign that started in October. Proofpoint's website notes that these include:

• External DNS resolution for internal addresses

• Steganography to conceal an AES key to decrypt the list of fingerprints / default credentials and local resolutions and the layout for the commands sent to attack the targeted routers

• The addition of dozens of recent router exploits: There are now 166 fingerprints, some working for several router models, versus 55 fingerprints in 2015.

• When possible (in 36 cases) the exploit kit modifies the network rules to make the administration ports available from external addresses, exposing the router to additional attacks like those perpetrated by the Mirai botnets

• The malvertising chain is now accepting Android devices as well.

DNSChanger relies on vulnerabilities in the victims' internet router, particularly those designed for home and small business use.

Victims are served malicious ads which will infect their router via their browser. Most new DNSChanger infections have been found to affect the Chrome browser on Windows desktops and Android devices.

Infection occurs when the user visits a legitimate website that is serving malicious ads. The malicious ads send traffic to the DNSChanger exploit kit which then checks the victim's IP address. If the IP address is of interest to the attackers the victim is served a fake ad which contains Javascript code and an encryption key concealed within the image file. These scripts then search for the router and pass information back to the exploit kit, which then returms instructions on how to infect it based on its make and model.

The ultimate goal of the new malvertising campaign is not clear, say the researchers, but one result seems to be the stealing of traffic from ad agencies. However once attackers are able to control the DNS server on a network, they are able to carry out a wide range of actions including include "banking fraud, man-in-the-middle attacks, phishing, ad fraud, and more".

A large number of routers are vulnerable to DNSChanger, including models by Linksys, Netgear, D-Link, Comtrend, Pirelli and Zyxel.

Unfortunately there is little that end users can do to avoid these attacks, except to ensure their router's firmware is up to date. For most home and small business users this generally means relying on the manufacturers to push updates, Proofpoint notes.